Steps outlined by Facebook not enough to protect users: French security researcher

Steps outlined by social media giant Facebook to protect users and prevent app developers from misusing data in the aftermath of the Cambridge Analytica controversy may not be enough, according to a French security researcher who goes by the name Elliot Alderson and who has highlighted security flaws in the Congress and NaMo apps.

“Facebook’s economic model is to get the data of their users. They will add some checks to avoid this kind of enormous abuse but this is a cat and mouse game. Hackers always find a way,” Alderson told ET in an email interview.

Asked about the repercussions of the controversy on Indian users and voters, Alderson said: “This is the grey area here. We don’t know how this personal data is used on the server side. But as we can see in the Cambridge Analytica case, this data can clearly be used to influence an election.”

Alderson’s revelations on security flaws of the NaMo and Congress apps through the week led to a war of words between the BJP and the Congress over security lapses. Alderson highlighted what he thought were the primary issues with Aadhaar and the apps.

“The primary issue is the lack of security requirements for the companies who collect Aadhaar data. A lot of companies ask for Aadhaar cards and so create their own ‘Aadhaar database.’ The issue is, in most of these cases, this database is poorly secured or not secured at all. This is why I managed to access thousands of Aadhaar cards by using Google search only,” he said.

Alderson’s tweets mentioning how personal data of users on the Congress app was not encrypted and was sent encoded through an HTTP request led to a furore and the app was removed from Google Play Store.

Earlier, Alderson had tweeted that when users create a profile in the NaMo app, all their device info and personal data are sent without their consent to a third-party domain. BJP tweeted in response that the permissions required were all contextual and cause-specific and that the data is used only for analytics using a third-party service similar to Google Analytics. Congress responded to the allegations stating there was no truth to them and that there had been no breach of data.

“The Congress Android app sent the user data through HTTP without the user consent. The data was encoded but not encrypted. I just monitored the traffic generated by the app. The NaMo app is sending personal user data without their consent. This is not only a violation of the terms and conditions of the Google Play Store but also of the new European rule GDPR,” Alderson told ET.
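Alderson's distinction between data that is merely encoded and data that is encrypted can be shown with a short audit routine. The following is an added example, not code from the article or from either app: it takes a constructed plaintext HTTP POST carrying a base64-encoded profile (all values are made up, and the field names and the `audit_capture` function are assumptions) and reports which layers a passive observer on the path can peel off without any key, while recognizing a TLS record as something it cannot read.

```python
import base64
import json
import re
import urllib.parse

# Constructed sample: a plaintext HTTP POST of the kind an app emits when it
# "encodes" a profile instead of encrypting it. Every value here is made up.
PROFILE = {"name": "Test User", "email": "test.user@example.com",
           "phone": "+910000000000", "device_id": "deadbeef"}
ENCODED_BODY = "data=" + urllib.parse.quote(
    base64.b64encode(json.dumps(PROFILE).encode()).decode())
SAMPLE_REQUEST = (
    "POST /api/profile HTTP/1.1\r\n"
    "Host: app.example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n" + ENCODED_BODY
).encode()

# Field names an auditor would treat as personal data (assumed list).
PII_KEYS = {"name", "email", "phone", "device_id", "imei", "dob"}


def audit_capture(raw: bytes) -> dict:
    """Audit one captured request as a passive observer would see it.

    A TLS record (content type 0x16 = handshake, version 0x03xx) is opaque
    without the session keys, so nothing can be peeled off. A plaintext HTTP
    request is readable end to end: url-encoding, base64 and JSON are reversed
    with no secret, which is what "encoded but not encrypted" means in practice.
    """
    if raw[:2] in (b"\x16\x03", b"\x17\x03"):
        return {"plaintext_http": False, "layers_peeled": [], "exposed_fields": []}
    if not re.match(rb"^(GET|POST|PUT|PATCH) ", raw):
        raise ValueError("not an HTTP request or a TLS record")
    _, _, body = raw.decode("utf-8", errors="replace").partition("\r\n\r\n")
    layers, exposed = [], set()
    for values in urllib.parse.parse_qs(body).values():  # reverses url-encoding
        for value in values:
            layers.append("url")
            try:
                decoded = base64.b64decode(value, validate=True).decode("utf-8")
                layers.append("base64")
            except (ValueError, UnicodeDecodeError):
                decoded = value
            try:
                obj = json.loads(decoded)
                layers.append("json")
                exposed |= PII_KEYS & set(obj)  # fields now readable in the clear
            except ValueError:
                pass
    return {"plaintext_http": True, "layers_peeled": layers,
            "exposed_fields": sorted(exposed)}
```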

His reply when asked about his interest in exposing the lacunae of Indian political digital platforms: “This is fun, no?”